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Abstract — The universal secure network coding presented by 
Silva et al. realizes secure and reliable transmission of a secret 
message over any underlying network code, by using maximum 
rank distance codes. Inspired by their result, this paper considers 
the secure network coding based on arbitrary linear codes, 
and investigates its security performance and error correction 
capability that are guaranteed independently of the underlying 
network code. The security performance and error correction 
capability are said to be universal when they are independent 
of underlying network codes. This paper introduces new code 
parameters, the relative dimension/intersection profile (RDIP) 
and the relative generalized rank weight (RGRW) of linear 
codes. We reveal that the universal security performance and 
universal error correction capability of secure network coding 
are expressed in terms of the RDIP and RGRW of linear codes. 
The security and error correction of existing schemes are also 
analyzed as applications of the RDIP and RGRW. 

I. Introduction 

In the scenario of secure network coding introduced by Cai 
et al. [2], a source node transmits n packets from n outgoing 
links to sink nodes through a network that implements network 
coding [1,11,13], and each sink node receives n packets from 
n incoming links. In the network, there is a wiretapper who 
observes //(< n) links. The problem is how to encode a secret 
message into n transmitted packets at the source node, in such 
a way that the wiretapper obtain no information about the 
message in the sense of information theoretic security. 

As shown in [6], secure network coding can be seen as a 
generalization of the wiretap channel II [18] or secret sharing 
schemes based on linear codes [3,5] for network coding. 
Hence, in secure network coding, the secrecy is realized 
by introducing the randomness into n transmitted packets as 
follows. Suppose the message is represented by I packets 
Si,..., Si (1 < / < n). Then, the source node encodes 
(S i , . . . , S i) together with n - 1 random packets by linear codes, 
and generates n transmitted packets [6,17,21]. 

Silva et al. [21] proposed the universal secure network 
coding that is based on maximum rank distance (MRD) 
codes [8]. Their scheme was universal in the sense that their 
scheme guarantees that over any underlying network code, 
no information about S leaks out even if any n - I links are 
observed by a wiretapper. As shown in [21], their scheme with 
MRD codes is optimal in terms of security and communication 
rate. However, there exists some restrictions in universal secure 



network coding with MRD codes. In their scheme, the network 
must transport packets of size m > n. The MRD code used in 
the scheme is defined over an WL,, where F 9 » is an m-degree 
field extension of a field F 9 with order q. Thus, the size of the 
field Fqm increases exponentially with m, and the restriction of 
MRD codes with m > n invokes the large computational cost 
for encoding and decoding of MRD codes if n is large. It is 
undesirable especially in resource constraint environments. 

Considering secure network coding without such a restric- 
tion, Ngai et al. [17], and later Zhang et al. [25], investigated 
the security performance of secure network coding based on 
general linear codes. They introduced a new parameter of 
linear codes, called the relative network generalized Hamming 
weight (RNGHW), and revealed that the security performance 
is expressed in terms of the RNGHW. The RNGHW depends 
on the set of coding vectors of the underlying network code. 
Hence, the RNGHW is not universal. 

The aim of this paper is to investigate the security perfor- 
mance of universal secure network coding based on general 
linear codes, which is always guaranteed over any underlying 
network code, even over random network code. This paper 
defines the universal security performance by the following 
two criteria. One is called the universal equivocation ©^ that 
is the minimum uncertainty of the message under observation 
of ju(< n) links, guaranteed independently of the underlying 
network code. The other is called the universal Q.-strong 
security, where O is a performance measure such that no 
part of the secret message is deterministically revealed even 
if at most Q. links are observed. The paper [12] proposed a 
specific construction of the secure network coding that attains 
the universal (n - l)-strong security, and such a scheme is 
called universal strongly secure network coding [20]. Namely, 
the definition of universal Q-strong security given in this paper 
is a generalization of universal strongly secure network coding 
considered in [12,20] for the number of tapped links. 

In order to express and Q in terms of code parameters, 
this paper introduces two parameters of linear codes, called 
the relative dimension/intersection profile (RDIP) and the 
relative generalized rank weight (RGRW). The RGRW is a 
generalization of the minimum rank distance [8] of a code. We 
reveal that ©^ and Q. can be expressed in terms of the RDIP 
and the RGRW of the codes. Duursma et al. [5] first observed 



that the relative generalized Hamming weight [14] exactly 
expresses the security performance and the error correction 
capability of secret sharing. Our definitions of RGRW and 
RDIP are motivated by their result [5]. 

Assume that the attacker is able not only to eavesdrop but 
also to inject erroneous packets anywhere in the network. 
Also assume that the network may suffer from the rank 
deficiency of the transfer matrix at a sink node. Silva et 
al.'s scheme based on MRD codes [21] enables to correct 
such errors and rank deficiency at each sink node, where its 
error correction capability is guaranteed over any underlying 
network code, i.e., universal. This paper also generalizes their 
result and reveals that the universal error correction capability 
of secure network coding based on arbitrary linear codes can 
be expressed in terms of the RGRW of the codes. 

The remainder of this paper is organized as follows. Sect. II 
presents basic notations, and introduces linear network cod- 
ing. Sect. Ill defines the universal security performance and 
universal error correction capability of secure network coding 
over wiretap network. Sect. IV defines the RDIP and RGRW of 
linear codes, and introduces their basic properties. In Sect. V, 
the universal security performance is expressed in terms of the 
RDIP and RGRW. The security of existing schemes [12,20,21] 
is also analyzed as applications of the RDIP and RGRW in 
Examples 17 and 21. Sect. VI gives the expression of the 
universal error correction capability in terms of the RGRW, 
and also analyze the error correction of [21] by the RGRW in 
Example 27. 

II. Preliminary 

A. Basic Notations 

Let H(X) be the Shannon entropy for a random variable X, 
H(X\Y) be the conditional entropy of X given Y, and I(X; Y) 
be the mutual information between X and Y [4]. We write 
\X\ as the cardinality of a set X. The entropy and the mutual 
information are always computed by using log ?m . 

Let F q stand for a finite field containing q elements and 
be an m-degree field extension of F 9 (m > 1). Let F^ denote 
an n-dimensional row vector space over F q . Similarly, ¥ n qm 
stands for an n-dimensional row vector space over F 9 >» . Unless 
otherwise stated, we consider subspaces, ranks, dimensions, 
etc, over the field extension F 9 » instead of the base field F 9 . 

An [n, k] linear code C over FL is a fc-dimensional subspace 
of ¥ n qm . Let C ± denote a dual code of a code C. A subspace 
of a code is called a subcode [15]. For C £ ¥" qlu , we denote by 
C\¥ q a subfield subcode of C over ¥ q [15]. Observe that dim C 
means the dimension of C as a vector space over F g m whereas 
dimC|F ? is the dimension of C\¥ q over ¥ q . 

For a vector v = [v\, . . . , v n ] e FL, and a subspace V c FL, 
we denote v q - [v[, . . . , v„~\ and V q — {v q : v e V}. Define a 
family of subspaces V c ¥ n qm satisfying V = V q by T{¥ n qm ) = 
{subspace V c ¥" q: „ : V = V q }. Also define r,(F^„) = {V e 
F(F^,„) : dim V = i). For a subspace VOFL, the followings are 
equivalent: 1) VeF(FJ„); 2) dim V = dim V|F 9 [22, Lemma 1]. 



B. Linear Network Coding 

As in [2,6,17,21,25], we consider a multicast communica- 
tion network represented by a directed multigraph with unit 
capacity links, a single source node, and multiple sink nodes. 
We assume that linear network coding [11,13] is employed 
over the network. Elements of a column vector space F™ xl 
are called packets. Assume that each link in the network can 
carry a single F 9 -symbol per one time slot, and that each link 
transports a single packet over m time slots without delays, 
erasures, or errors. 

The source node produces n packets X\, . . . , X n e F™ xl and 
transmits X\ , . . . , X„ on n outgoing links over m consecutive 
time slots. Define the m x n matrix X = [Xi, . . . , X n ] . The data 
flow on any link can be represented as an F 9 -linear combi- 
nation of packets X\, . . . ,X n e F™ xl . Namely, the information 
transmitted on a link e can be denoted as b e X T e F^ xm , where 
b e 6 F^ is called a global coding vector (GCV) of e. Suppose 
that a sink node has jV incoming links. Then, the information 
received at a sink node can be represented as anWxm matrix 
AX T e F^ xm , where A e F^ x " is the transfer matrix constructed 
by gathering the GCV's of Af incoming links. The network 
code is called feasible if every transfer matrix to a sink node 
has rank n over ¥ q . The system is called coherent if A is known 
to each sink node; otherwise, called noncoherent. 

III. Universal Security Performance and Universal Error 
Correction Capability of Secure Network Coding 

This section introduces the wiretap network model with 
packet errors and the nested coset coding scheme in secure 
network coding [6,17,21,25]. Then, we define the universal 
security performance in terms of the universal equivocation 
and the universal Q.-strong security on the wiretap network 
model. We also define the universal error correction capability 
of secure network coding. From now on, only one sink node 
is assumed without loss of generality. In addition, we focus on 
the fundamental case of coherent systems in this paper due to 
the space constraint. But, as in [21], all analysis in this paper 
can be easily adapted to the case of noncoherent systems. 

A. Wiretap Networks with Errors, and Nested Coset Coding 

Following [2,6,17,21,25], assume that in the setup of 
Sect. II-B, there is a wiretapper who has access to packets 
transmitted on any p links. Let r W be the set of \"W\ = p 
links observed by the wiretapper. Then the packets observed 
by the wiretapper are given by W J = BwX J , where rows of 
B<w e ¥ q xn are the GCV's associated with the links in r W. 

In the scenario [6,17,21,25], the source node first regards an 
m-dimensional column vector space ¥ q nxl as F 9 »., and fix / for 
1 </<«. Let S = [S\,. . . ,Si] e¥ l qm be the secret message, and 
assume that Si,..., Si are uniformly distributed over ¥ l qm and 
mutually independent. Under the wiretapper's observation, the 
source node wants to transmit S without information leakage 
to the wiretapper. To protect S from the wiretapper, the source 
node encodes S to a transmitted vector X = [Xi , . . . , X n ] € 
FL of n packets by applying the nested coset coding scheme 
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[3,5,23,24] on S. In [3,5], its special case is called a secret 
sharing scheme based on linear codes. 

Definition 1 (Nested Coset Coding Scheme). Let C\ Q W qm be 
a linear code over F q - (m > 1), and C2 £ C\ be its subcode 
with dimension dimC2 = dimCi- / over F 9 ». Let if/ : FL -> 
C1/C2 be an arbitrary isomorphism. For a secret message S e 
F^,„, we choose X from a coset if/(S) e C1/C2 uniformly at 
random and independently of S . 

Then, the source node finally transmit X over the network 
coded network. Def. 1 includes the Ozarow-Wyner coset cod- 
ing scheme [18] as a special case with C\ = ¥L. Hence, when 
we set Ci = F^„, this is the secure network coding based on 
Ozarow-Wyner coset coding scheme [6,17,21]. 

Corresponding to X transmitted from the source node, the 
sink node receives a vector of N packets Y e F^L. Here we 
extend the basic network model described in Sect. II-B to 
incorporate packet errors and rank deficiency of the transfer 
matrix A e F^ x " of the sink node. Suppose that at most / errors 
can occur in any of links, causing the corresponding packets 
to become corrupted. Then, as [19], Y can be expressed by 

T T = AX T + DZ J , 

where Z € ¥ qm is the t error packets, and D e F^ x ' is the 
transfer matrix of Z. We define p = n — rankA as the rank 
deficiency of A. In this setup, we want to decode S correctly 
from Y. If the network is free of errors and the network code 
used is feasible, X can be always reconstructed from Y T = AX J 
as described in Sect. II-B. Then, the coset if/(S), and hence S, 
is uniquely determined from X from Def. 1 . 

B. Definition of Universal Security Performance 

The security performance of secure network coding in the 
above model was measured by the following criterion [17,25]. 

Definition 2 (Equivocation). The minimum uncertainty 6 M of 
S given B^wX J for all possible 1V's (\ r W\ = fi) in the network 
is called equivocation, defined as = min 

As defined in Def. 2, 9^ depends on the underlying network 
code. In [17,25], 9 M for m — 1 was expressed in terms of the 
relative network generalized Hamming weight (RNGHW) of 
Ci and Ct_. The RNGHW is the value determined according to 
GCV's of all links in the network. Hence, the RNGHW cannot 
determine the equivocation over random linear network code 
[10]. Here, we extend Def. 2 by requiring the independence of 
the underlying network code, as follows. 

Definition 3 (Universal Equivocation). The universal equivo- 
cation & p is the minimum uncertainty of S given BX J for all 
B e Ff, defined as 

0^ = min H(S\BX J ). 

BeFf" 

As defined in Def. 3, 0^ does not depend on the set of 1V's 
in the network. Silva et al.'s universal secure network coding 
scheme based on MRD codes [21] achieves 0„_/ = H(S) in 
Def. 3 provided m>n. 



Def. 3 defines the security for the whole components of a 
message S = [S\, . . . ,5/]. Here we focus on the security for 
every part of S , and give the following definition. 

Definition 4 (Universal Q-Strong Security). Let S z = (Si '■ 
i e X) be a tuple for a subset Z. C {1, . . . , /}. We say that a 
secure network coding scheme attains the universal Q-strong 
security if we have 

I(S Z ; BX T ) = 0, \fZ, Vfi € HZI+1)X ". (1) 

As [9,16,20], a scheme with universal Q-strong security 
does not leak any \Z,\ components of S even if at most 
Q - \Z\ + 1 links are observed by the wiretapper. Moreover, 
this guarantee holds over any underlying network code as 
0^. We note that if a scheme achieves the Q-strong security, 
the universal equivocation 0^ for /i = fl — / + 1 must be 
0n-/+i = H(S) as shown in Def. 4. However, the converse 
does not always hold. 

The scheme in [12] achieves Q. = n- 1 provided m > l+n by 
nested coset coding with MRD codes. The universal strongly 
security in [20] is a special case of Def. 4 with Q. — n - 1 . 

C. Definition of the Universal Error Correction Capability of 
Secure Network Coding 

In the model described in Sect. Ill- A, the error correction 
capability of secure network coding, guaranteed over any 
underlying network code, is defined as follows. 

Definition 5 (Universally f-Error-p-Erasure-Correcting Secure 
Network Coding). A secure network coding scheme is called 
universally t-error-p-erasure-correcting, if 

H(S \Y) = 0, T T = AX T + DZ J , 

VAeFf<" : rankA >«-p, VX e if/(S), VDeFf*', VZeF^, 

i.e., S can be uniquely determined from Y against t errors over 
any underlying network code with at most p rank deficiency. 

Silva et al.'s scheme [21, Section VI] is universally f-error- 
p-erasure-correcting when the minimum rank distance [8] of 
Ci is greater than 2f + p. 

IV. New Parameters of Linear Codes and Their Properties 

This section introduce the relative dimension/intersection 
profile (RDIP) and the relative generalized rank weight 
(RGRW) of linear codes. In the following sections, these 
parameters are used to characterize the universal security 
performance and the universal error correction capability of 
secure network coding. 

A. Definition 

We first define the relative dimension/intersection profile 
(RDIP) of linear codes as follows. 

Definition 6 (Relative Dimension/Intersection Profile). Let 
Ci £ F^„ be a linear code and C2 £ C\ be its subcode. Then, 
the /-th relative dimension/intersection profile (RDIP) of C\ 
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and C 2 is the greatest difference between dimensions over F q m 
of intersections, defined as 

K R i{Cx,C 2 )= max {dim (Ci n V) - dim (C 2 n V)} , (2) 
for < ;' < «. 

Next, we define the relative generalized rank weight 
(RGRW) of linear codes as follows. 

Definition 7 (Relative Generalized Rank Weight). Let C\ Q 
F"„, be a linear code and C 2 £ C\ be its subcode. Then, the 
z'-th relative generalized rank weight (RGRW) of C\ and C2 is 
defined by 

M s ,,(Ci,C 2 ) 

= min{dimy : Ver(F^),dim(CinV)-dim(C 2 nV)>/}, (3) 

for < ; < dim(Ci/C 2 ). 

The relative dimension/length profile and the relative gen- 
eralized Hamming weight introduced in [14] are equivalent to 
Eqs.(2) and (3) with r,(F^) and T(F^,) replaced by suitable 
smaller sets, respectively. 

B. Basic Properties of the RDIP and the RGRW, and the 
Relation between the Rank Distance and the RGRW 

This subsection introduces some basic properties of the 
RDIP and the RGRW, and also shows the relation between 
the RGRW and the rank distance [8]. These will be used 
for expressions of the universal security performance and the 
universal error correction capability of secure network coding. 

First, we introduce the following theorem and lemma about 
the RDIP and the RGRW. 

Theorem 8 (Monotonicity of the RDIP). Let C\ c F n q „, be 
a linear code and C2 £ C\ be its subcode. Then, the z'-th 
RDIP K R j(Ci,C 2 ) is nondecreasing with i from K Rt o(Ci,C 2 ) = 
to K R JCi,C 2 ) = dim(Ci/C 2 ), and < K RM1 {d,C 2 ) - 
K R4 (CuC 2 ) < 1 holds. 

Proof: K R , (CuC 2 ) = and K R , n (C u C 2 ) = dim(Ci/C 2 ), 
are obvious from Def. 6. Recall that 

Ti(F" qm ) = {y c F n qm : y = {uG : it e f;,„), G e Ff, rankG = z) , 

for 1 < z < n from [22, Lemma 1]. This implies that for 
any subspace V\ e r i+1 (F^ m ), there always exist some y 2 's 
satisfying V 2 e r,-(F^) and V 2 £ Vi. This yields K RJ (C U C 2 ) < 
K R j+i(Ci,C 2 ). 

Next we show that the increment at each step is at most 1 . 
Consider arbitrary subspaces V, V e T(K.) such that dim V = 
dim y + 1 and V £ V. Let / = dim (Ci n V) - dim (C 2 n V); 
g = dim (Ci n V) - dim (C 2 n V). Since dim (Ci n V) + 1 > 
dim(Ciny')>dim(Ciny) andC 2 £Ci,we have/+l >g>f 
and hence K R4 (C U C 2 ) + 1 > K RJ+l (C u C 2 ) > K R4 (C U C 2 ). ■ 

Lemma 9. Let C\ Q F" q ,„ be a linear code and C 2 £ C\ 
be its subcode. Then, the i-th RGRW M RJ (CuC 2 ) is strictly 



increasing with i. Moreover, M R $(C\,C 2 ) = and 
M RJ (CuC 2 ) = min{; : K R j(C u C 2 ) = i] 

= min {dim V : V e T(F" q ,„), dim (d nV)- dim (C 2 n V) = i) , 
where < ;' < dim (C\/C 2 ). 

Proof: First we have 
mm{j:K RJ (Ci,C 2 )>i} 

= min{j : 3V eYj(F n q ,„), such that dim (Ci ny)-dim (C 2 ny) >/} 
= min {dim V : V e r(F^,), dim (Ci n V) - dim (C 2 n V) > i} 
= M«,,(Ci,C 2 ). 

From Theorem 8, we have {j f : K R j{C\,C 2 ) = n 
{7 : £x,/Ci,C 2 ) > i + l} = 0. We thus have 

M RJ (CuC 2 ) = min{j : K RJ (C U C 2 ) > i] 
= min[j: K RJ (CuC 2 ) = i}. 
Therefore the RGRW is strictly increasing with ;' and thus 

M RJ (CuC 2 ) 

= min {dim V : V e T(F^), dim (Ci n V) - dim (C 2 nV) = i} , 

is established. ■ 
Next, we show the relation between the rank distance [8] 
and the RGRW. Let 4> m : F ? ». -> F™ xl be an F 9 -linear 
isomorphism that expands an element of F 9 ». as a column 
vector over F 9 with respect to some fixed basis for F q m over F q . 
Then, we define the rank over F q of a vector x = [x\, . . . , x„] e 
F n qm , denoted by rankp 9 (x), as the rank of m x n matrix 
[<p m {x\), ■ ■ ■ , <t>m(Xn)] ov er F q . The rank distance [8] between 
two vectors y g F n qm is given by d R (x,y) - rank Fi; (^- x). 
The minimum rank distance [8] of a code C is given as d R (C) = 
min{d R (x, y) : x,yeC,x^y} = min{d R (x,v) : xeC,x±Q}. For 
a subspace V QF n qm , we define by V* = YZo y9 ' the sum of 
subspaces V, V q , . . . , V 9 ""' . 

Lemma 10. For a subspace V c F^ m with dim V = 1, we have 
dim y* = du(V). 

Proof: Let o = [fci,...,fc„]eVbe a nonzero vector, which 
implies rank F (£)=d«(V). Let M = \ai,] m ' n eF™ x ", / = 

9 L ' J lij= 1 y ,J J 

Each vector in y* is represented by an F 9 ». -linear combination 
of b,b q , . . .,b q "~\ and hence dim V* = rankM. 

For a\,a 2 e ¥ q ,p u Pi g F r , we have ai(f> m (J3i)+a 2 (p m (B 2 ) = 
($> m (a\B\ + a 2 /3 2 ). This implies that there always exists some 
p e p«x« with ran kp = „ satisfying 

^ = [ffi,...,^(v),0,...,0]eF5.,^#0, (4) 

where . . . ,#d R (y) are linearly independent over F g , and 
note that P represents the elementary column operation on 
[<p m (bi),. . .,(p m (b n )]. Also for a u a 2 e F q , B U B 2 e F q „, we 
have aiySf + a 2 0[ = (or^i + a 2 /3 2 ) 9 ' (0 < i < m - 1). 
Hence, for P e F n q xn satisfying Eq. (4), we also have b q P = 
\g\, g q dR{yy 0, . . . , 0] e F^ for all < i < m - 1. Thus, by 
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the elementary column operation on M over F ?) represented 
by P, we get MP. By eliminating zero columns from MP, 

r -im,d R (V) J-\ 

we obtain a matrix M' = , /jj = , where 

rankM' = rankM. Let M' k e F^ ds(v) (1 < Jfc < rf*(V)) be 
the submatrix consisting of the first k rows of M' . Since 
d R iV) < min{m, n] and gi,..., gd R (V) are linearly independent, 
M' k is the generator matrix of [d R (V), fc] Gabidulin code and 
rankM^ = k [8]. Thus, M' dit(V) is nonsingular, and hence we 
have rankM^ (V/) = rankM' = d R (V). Therefore, dim V* = 
rank M = rankM' = d R (V). ■ 

Lemma 11. For a code C\ Q F" and its subcode C2 £ 
Ci, the first RGRW can be represented as M S j(Ci,C 2 ) = 
min \d R (x, 6) : x e Ci\C 2 }. 

Proof: M R (C\,C2) can be represented as 

M S , 1 (C 1 ,C 2 ) 

= min {dim W : W€r(F^,),dim(Ci n W)-dim(C 2 n W)>l} 
= min {dim W : W e T(F^), 

3V cw such that Vc(Ci n W), V£(C 2 n W),dim V> l}. (5) 

For any subspace V c F" with dim V> 1, there always exists 
some WeF(F^,„) satisfying W2 V, because we have V* eF(F^,„) 
and V* 2 V. Also, for subspaces W and V c W with dim V> 1, 
if W is the smallest space in T(F" ) including V, then W = V* 
[22]. Thus Eq. (5) can be rewritten as 

min {dim W : VcF^,dimV>l 

3WDV,WeT(F" qm ), such thatVc(d n W),V£(C 2 n W)) 

= min{dim V* : VQ¥ qm , Vc(CinV*), V£(C 2 nV*),dim V > l} 

= min {dim V* : V c Ci, V £ C 2 ,dim V > 1), (6) 

where the last equality of Eq. (6) is obtained by V c (Ci n 
V*) <=> V c Ci, and V g (C 2 n V*) <=> V ^ Ci from V 2 V. 
For subspaces V and V 2 V, we have dim V* < dim V*. 
Therefore, Eq. (6) can be rewritten as follows. 

min {dim V : V c C u V £ C 2 ,dim V > 1) 

= min {dim V* : V c Ci, V <£ C 2 ,dim V = 1} 

= min { rfjf(V) : V c Ci , V £ C 2 , dim V = 1 } (by Lemma 10) 

= mm{d R (x,d):xeCi\C 2 }- a 
Lemma 1 1 immediately yields the following corollary. 

Corollary 12. For a linear code C, d R (C) = M RJ (C, {0}) holds. 

This shows that M Rj i(-,{0}) is a generalization of d R (-). 
Now we present the following proposition that generalizes the 
Singleton-type bound of the rank distance [8]. 

Proposition 13 (Generalization of Singleton-Type Bound). 
Let C\ c F^„ be a linear code and C 2 £ C\ be its subcode. 
Then, the RGRW of C\ and C 2 is upper bounded by 

{in I 
-, Kw-dimCi) + i, (7) 
(n -dimC 2 ) J 



for 1 < i < dim(Ci/C 2 ). 

Proof: We can consider that C 2 is a systematic code 
without loss of generality. That is, the first dimC 2 coordinates 
of each basis of C 2 is one of canonical bases of ¥^T Cl . Let 
S £ V n qm be a linear code such that C\ is a direct sum of C 2 
and S. Then, after suitable permutation of coordinates, a basis 
of S can be chosen such that its first dimC 2 coordinates are 
zero. Then, the effective length [7] of a code S is less than or 
equal to n - dimC 2 . Hence we have 

{Til I 
1, ^— - > (n - dim C 2 - dim S) + 1, 
n-dimC 2 J 

= minil, l(n-dimCi) + l, (8) 

( n-dimC 2 J 

from the Singleton-type bound for rank metric [8]. 

Here we write k = min {1, m/(n - dim C 2 )} for the sake of 
simplicity. Recall that d R (S) = M RA (S,{0}) from Corol. 12, 
and M«,i(<S, {0}) < k{u - dim C\) + 1 holds from Eq. (8). 

We shall use the mathematical induction on t. We see that 
Eq. (9) is true for t = 1. Assume that for some t > 1, 

M S ,XS, {5}) < Kin - dim CO + f, (9) 

is true. Then, by the monotonicity shown in Prop. 9, 

M R , I+1 (S, {6}) < M R /S, {6}) + \<K{n- dimCi) + 1 + 1, 

holds. Thus, it is proved by mathematical induction that Eq. (9) 
holds for 1 < t < dim(Ci/C 2 ). 

Lastly, we prove Eq. (7) by the above discussion about the 
RGRW of S and {6}. For an arbitrary fixed subspace V c FJ„, 
we have dim (Ci n V) > dim (Sn V)+dim (C 2 nV), because C\ is 
a direct sum of S and C 2 . Hence, dim (Ci n V)-dim (C 2 nV) > 
dim (S n V) holds, and we have M RJ (Ci,C 2 ) < M R4 (S,{0}) 
for 1 < i < dim(Ci/C 2 ) from Def.7. Therefore, from the 
foregoing proof, we have 

M RJ (Ci,C 2 ) < M RJ (S, {6}) < Kin - dim Ci) + i, 

for 1 < i < dim (Ci/C 2 ), and the proposition is proved. ■ 
Prop. 13 immediately yields the following corollary. 

Corollary 14. For a linear code C c F^„, M s ,,(C,{0*}) < 
min{l, m/n}(n - dimC) + ; for 1 < i < dimC. The equality 
holds for all i if and only if C is an MRD code. 

V. Universal Security Performance on Wiretap Networks 

In this section, we express 0^ and 12 given in Sect. III-B 
in terms of the RDIP and RGRW. From now on, we use the 
following definition. 

Definition 15. For BeF^ x ", we define V B ^{uB : i?eF^}cF^. 

Recall that if an ¥ q m -linear space V c F qm admits a basis in 
F^ then V e r(F^,„) [22], which implies 

Vb e r(F^). (10) 

First, we give the following theorem for the universal 
equivocation 0^ given in Def. 3 
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Theorem 16. Consider the nested coset coding in Def. 1 . 
Then, the universal equivocation 0^ of Ci,C 2 is given by 

%=l-K Rs (C$,Cf). 

Proof: Let B € F^ x " be an arbitrary matrix. By the chain 
rule [4], we have the following equation for the conditional 
entropy of S given BX T : 

H(S\BX T ) = H(S,X\BX T ) - H(X\S,BX T ) 

= H(X\BX T ) + H(S \X, BX T ) - H(X\S,BX T ) 
= H(X\BX T ) - H(X\S, BX T ). (11) 

Then, from [25, Proof of Lemma 4.2], we have 

H(X\BX T ) = n - dim Cf - dim V B + dim (Cf n V B ), 
H(X\S,BX T ) = n - dim Cf - dim V B + dim (Cf n V B ). 

By substituting these equations into Eq. (11), we have 

H(S\BX T ) = dimCf-dimCf-dim^ n V B )+d\m (Cf n V B ) 
= I - dim (Cf n V B ) + dim (Cf n V B ). (12) 

By Eq. (10) we have 

{v B :BePf n } = \Jr i (F n qm ). (13) 

Thus, by Eq. (12) and Def. 6, the universal equivocation 0^ is 
given as follows. 

0„ = min H(S\BX T ) 

BeFf" 

= I - max {dim (Cf n V B ) - dim (Cf n V B )} 

= /- max (dim(Cf nV)-dim(Cfn V))(byEq.(13)) 

Ve[J, Sl ,r,(W m ) l z 

— I — max {dim(Cf n V)-dim(CfnV))(by Thm. 8) 

Ver„(F» m )^ I 

= ' - K Rtfl (Cf, Cf). a 

Example 17. The existing schemes [12,20,21] used MRD 
codes as Cf and Cf, where m > n. By Corol. 12, we have 
dim(V n Cf) = for any V e r dimC2 (F^). This implies 
K R ^(Cf, Cf) = K RtM (Cf, {6}) = for < 11 < dim C 2 . 

On the other hand, ^dimCiCCj , {5}) = dimCi - dimC2 by 
Corol. 14. Since dim(V n Cf) = for any V e r dimCl (F^) 
by Corol. 12, we have X SidimCl (C 2 L ,C^) = dimCi-dimC2. By 
Theorem 8, K Rtft (Cf, Cf)^n-d\mC 2 for dimC 2 <^<dimCi. 

By Theorem 16, we see that 0^, = /-max[0,^-dim C2} for 
0<yu<dimCi(= Z+dimC 2 ) in the schemes [12,20,21]. 

We then have the following corollary by the RGRW. 
Corol. 18 shows that the wiretapper obtain no information of 
S from any M RA (Cf,Cf) - 1 links. 

Corollary 18. Consider the nested coset coding in Def. 1 . 
Then, the wiretapper must observe at least M R j(Cf,Cf) links 
to obtain the mutual information j (1 < j < I) between S and 
observed packets. 



Proof: From Eq. (12), the smallest number // of tapped 
links satisfying I(S;BX T ) = j (1 < j < I) is 

min : 3B e Ff ", I(S ; BX T ) = j] 

= min [n : 3B e Ff I - H(S \BX T ) = j) 

= min [n : 3B e Ff dim (Cf n V B ) - dim (Cf n V B ) = 7} . 

From [22, Lemma 1] and Lemma 9, this equation can be 
rewritten as follows. 

min {ju : 3B e Ff dim (Cf n V B ) - dim (Cf n V B ) = j} 

= min {dim V : V e F(F^,„), dim (Cf n V) - dim (Cf nV) = j) 

= M s> /c 2 L ,cf). a 

Although the message 5 has been assumed to be uniformly 
distributed over V l qm in Sect. Ill- A, the following proposition 
reveals that the wiretapper still obtain no information of S 
from any M R ,\(Cf,Cf) - 1 links even if S is arbitrarily 
distributed. 

Proposition 19. Fix the transfer matrix B to the wiretapper. 
Suppose that the wiretapper obtain no information of S from 
BX J when S is uniformly distributed over ¥ l qm as described in 
Sect. Ill- A. Then, even if S is chosen according to an arbitrary 
distribution over F' m , the wiretapper still obtain no information 
of S from BX T , that is, I(S ; BX T ) = 0. 

Proof: When we assume that S is arbitrarily distributed 
over FL, H(X\S , BX T ) is upper bounded as follows from [21, 
Proof of Lemma 6] and [25, Proof of Lemma 4.2]. 

H(X\S,BX T ) < n -dimCf -dimy B + dim(C2 n V B ). 

Also, since X is uniformly distributed over a coset ifr(S) e 
C1/C2 for fixed S, we have H(X\S) = dimC 2 = n - d\rr\Cf. 
For the dimension of a subspace {BX T : X eC\], we have 

d\m{BX T :IeCi) = rankBG T = rankGfl T 

= dim \Gf :veV B } = dim V B - dim (Cf n V B ), 

where G £ F^T ClX " is a generator matrix of C\. Hence we 
have H(BX T ) < dim V B - dim (Cf n V B ). We thus have 

7(5 ; BX T ) =I(S,X; BX T ) - I(X; BX T \S ) 

= H(BX T ) - H(X\S) + H(X\S, BX T ) 

< dim (Cf n v B )- dim (CfnV B ) (14) 

for any distribution of S . By I(S ; BX T ) = H(S)-H(S \BX T ) and 
Eq. (12) we can see that the equality holds if S is uniformly 
distributed. Therefore, for fixed B, if I(S;BX T ) = holds for 
uniformly distributed S, then the right hand side of Eq. (14) 
is zero, which implies that I(S ; BX J ) = also holds for 
arbitrarily distributed S from the nonnegativity of mutual 
information [4]. ■ 
Lastly, we express Q. in Def. 4 in terms of the RGRW. For 
a subset J c {1,...,AT} and a vector c = [c\,...,cn] e 
F^„, let Pj(c) be a vector of length \J\ over F r , ob- 
tained by removing the /-th components c, for t JT- For 
example for J" = {1,3} and c = [1,1,0,1] (N = 4), 



6 



we have Pj(c) — [1,0]. The punctured code Pj(C) of 
a code C e F^„ is given by Pj(C) = {Pj(c) : c e C}. 
The shortened code Cj of a code C Q F^L is defined 
by Cj = \Pj(c) :?=[cu...,c N ]€C,Ci = for i t J}. For 
example for C = {[0,0,0], [1, 1,0], [1,0, 1], [0, 1, 1]} (N = 3) 
and J = {2, 3}, we have Cj = {[0, 0], [1, 1]}. We then have the 
following theorem for the universal Q-strong security defined 
in Def. 4. 

Theorem 20. Let {7} = {1, ...,/ + n}\{i). Fix C u C 2 and 
in Def. 1 and consider the corresponding nested coset coding 
scheme in Def. 1. By using C\, C 2 and 0, define 

C\ = {[S,X] : 5 e and X e 0(5)} c F^,". 

For each index 1 < i < I, we define a punctured code Dij of 
C\ as £> u = PfjjCCj) c F^r 1 , and a shortened code £> 2 ,; of 
C; as D24 = (P[)fi c F^T 1 . Then, the value O in Def. 4 is 
given by 

Q. = min {M R>1 (^., D] 1 ,.) : 1 <;</}- 1 . (15) 

Proof: Define C 2 = {[6,c 2 ] : c 2 e C 2 \ £ F^,". Since 
C 2 i Ci, C 2 is also a subcode of C[. Thus, in terms of C[ and 
C' 2 , we can see that the vector [S,X] e F^t," is generated by a 
nested coset coding scheme of C[ and C' 2 from 5 . Then, from 
the definition of C[ and C' 2 , we can see that D 2 j is a subcode 
of Dij with dimension dim D 2 j = dim®!,, - 1 = dimCi - 1 
over F 9 ». for each i 6 {1, . . . , /}. 

Let .£ Ml,...,/} and 5 XV{() ± [5 15 . . . ,5,-_i,5, + i, . . . ,5,] 
for each 1 < i < I. For 5 , e F 9 »> define a coset 

<P(Sd = {[S mh X] : S £Mi] e F^ 1 and X e 0(5)} e £> M /£>2,«. 

Here we define Z {7) ± P^([S,X]) = [5 X \ { ,),X] € £>i,,. 
Recall that 5 1 , . . . , 5/ are mutually independent and uniformly 
distributed over F ? ™. Thus, considering a nested coset coding 
scheme that generates from a secret message 5; € V q m 
with D u £> 2 , we can see that Z (7) E 0(5,-) e D hi /D 2 ,i 
is chosen uniformly at random from 0(5,-). Therefore, we 
have I(Sr,DZl) = for any D e f£ x( " + ' _1) whenever 
< M R> i(£>^.,£>^) from Corol. 18. 

For an arbitrary subset Kc£\{i), define a matrix F K that 
consists of 1^1 rows of an (/ - 1) X (/ - 1) identity matrix, 
satisfying [S j : j e H] 1 = FrS^,^. For an arbitrary matrix 
B e F* x " (0<fe<n), set D = [ F g £]. Then, from the foregoing 
proof, we have 

= 7(5 ,-; 7)Zl) = 7(5,-; S*. 7?X T ) = 77(5 ,|5«) - H(S t \BX T , S K ) 

= 77(5,) - 7/(5 ,|BX T , Sr) = 7(5,; BX t \Sk), 

whenever \<R\ + k< Mi(^.,B|.). Since 7(5,; BX T \S K ) = is 
equivalent to Eq. (1) from [20, Prop. 5], we have Eq. (15) by 
selecting the minimum value of M R ^(!D 2j , for 1 <i<l. 

■ 

Example 21. The scheme proposed in [12] used a systematic 
MRD code as C\ (not Ci), where m > I + n. We proved 
mm{M Rtl (D^ l ,Df i ) : 1 <;'</} = « in [12, Proof of Theorem 



4]. By Theorem 20, we see that the scheme [12] attains the 
universal (n - l)-strong security in the sense of Def. 4, while 
[12] proved it by adapting the proof argument in [20]. 

As shown in Prop. 19, no information of 5 is leaked from 
less than M Ryi (C 2 ,Cf) tapped links even if 5 is arbitrarily 
distributed. In contrast, 5 must be uniformly distributed over 
F^„ to establish Theorem 20. This is because elements of 5 
need to be treated as extra random packets, as in strongly 
secure network coding schemes [9,16,20]. 

VI. Universal Error Correction Capability of Secure 
Network Coding 

This section derives the universal error correction capability 
by the approach of [19, Section III]. Recall that the received 
packets Y is given by Y T = AX T + DZ T in the setup of 
Sect. Ill- A, and that X is chosen from the coset 0(5) € C1/C2 
corresponding to 5 by the nested coset coding in Def. 1 . From 
now on, we write X = 0(5 ) for the sake of simplicity. 

First, we define the discrepancy [19] between X and Y by 

A A (^,T) = min{reN : De¥^ xr ,ZeF r r ,XeX, Y T =AX T +DZ T ] 
= min [d R (XA T , Y) : X e X] , (16) 

where the second equality is derived from [19, Lemma 4]. 
This definition of Aa(X, Y) represents the minimum number r 
of error packets Z required to be injected in order to transform 
at least one element of X into Y, as [20, Eq. (9)]. 

Next, we define the A-distance [19] between X and X', 
induced by Aa(X, Y), as 

6 A (X, X') ± min {A A (*, Y) + A A (X', Y) : Y e F^j , (17) 

for X,X' eCi/C 2 . 

Lemma 22. For X, X' e C\ /C 2 , we have 

6 A (X,X') = mm[d R (XA J ,X'A T ) : X e X,X' e X') . (18) 

Proof: First we have 

6 A (X, X') = min [a a (X, Y) + A A (X', Y) : Y e F^,} 

= min { min {d R (XA T , Y) : X e X) 

+ min {d R (X'A T , Y) : X' e X'} : Y e F^,} 

= min{^(XA T , Y)+d R (XA T , Y) : XeX,X'eX', TeF^J . (19) 

The rank distance satisfies the triangle inequality 
d R (XA T ,XA T ) < d R (XA T ,Y) + d R (X'A T ,Y) for VT e F^ 
[8]. This lower bound can be achieved by choosing, 
e.g., Y = XA T . Therefore, from Eq. (19), we have Eq. (18). ■ 
The next lemma shows that A A (X, Y) is normal [19, Defi- 
nition 1]. 

Lemma 23. For all X,X' e Ci/C 2 and all < i < 6 A (X,X'), 
there exists some Y £ ¥ n q „, such that A A (X, Y) = i and 
A A (X',Y) = d A (X,X')-i. 

Proof: Let X,X' e C1/C2 and let < i < d = 
6 A (X,X'). Then, d = mm{d R (XA T ,X'A J ) : X e X,X' e X') 
from Lemma 22. Let X e X and X' e X' be vectors 
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satisfying d = d R (XA T ,X'A T ). From the proof of [19, Theorem 
6], we can always find two vectors W, W e FL, such that 
W + W = (X'_ - X)A T , rankp (W) = i and rank F ,(W' ) = d-i. 
Taking Y = XA T + W = X'A T - W, we have d R (XA T , Y) = i 
and d R (X'A T , Y) = d - i. We thus obtain A A (X, Y) < i and 
A A (X', Y) < d — i from Eq. (16). On the other hand, since 
8 A {X,X') = d, we have A A (X,Y) + A A (X',Y) > d for any 
Y e FL from from Eq.(17). Therefore, A A (X, Y) = i and 
A A (X' , Y)=d-i hold. ■ 
Let 8 A (Ci/C 2 ) be the minimum A-distance given by 

5 A (CilC 2 ) = mm{6 A (X,X') : X, X' e Ci/C 2 ,X * X'\ . 

As [19, Theorem 7], from Lemma 23 and [19, Theorem 3], 
we have the following proposition. 

Proposition 24. A nested coset coding scheme with Ci,C 2 
is guaranteed to determine the unique coset X against any t 
packet errors for any fixed A if and only if 6 A (C\ICi)>2t. ■ 

Here we note that if X is uniquely determined, S is also 
uniquely determined from Def. 1. 

Lemma 25. 6 A (Ci/C 2 ) = mm{d R (XA T , XA T ) : X,X'eC u X'- 
XiC 2 ). 

Proof: 

S A (Ci/C 2 ) = mm{6 A (X,X') : X,X' e d/C 2 ,X * X'\ 
= min{min{^(XA T , XA T ) :XeX,X'eX'}: X, X'e Ci/C 2 ,X±X'} 
= min [d R (XA T , X'A T ) : X e X e C\ /C 2 , X' e X' eCi /C 2 , X * X' } 
= min [d R (XA T , X'A T ) : X, X' e C\ , X' - X t C 2 ) . u 

Theorem 26. Consider the nested coset coding in Def. 1 . 
Then, the scheme is a universally (i.e., simultaneously for all 
A e F^ x " with rank deficiency at most p) f-error-p-erasure- 
correcting secure network coding if and only if M Rt \(Ci,C 2 ) > 
2t+p. 

Proof: For the rank deficiency p — n- rank A, we have 
d R (X,X')-p<d R (XA T ,X'A T ), and there always exists A e Ff 01 
depending on (X,X') such that the equality holds. Thus, from 
Lemma 25, we have 

min S A (Ci/C 2 ) = mm{d R (X,X') : X,X' eC u X' -X£C 2 }-p 

AeV N>o,. 

rankA= "~ P = min [d R (X, 6):XeC u XtC 2 }- P 

= M Ri \(C\,C 2 ) - p. (by Lemma 11) 

Therefore, we have min d A (Ci/C 2 )< min S A (Ci/C 2 ) 

A:rankA=n-p A:ranWA=n-p' 

for p > p', and hence we obtain min S A (C\/C 2 ) = 

A:rankA>n-p 

min 6 A (Ci/C 2 ) = M R ,i(Ci,C 2 )-p. ■ 

A:rankA=n-p 

Example 27. The existing scheme [21] used MRD codes 
as Ci,C 2 , where m > n. Then, by Corol. 14, we have 
M Si i(Ci,{0}) = n - dimCi + 1. Since dim(V n C 2 ) = for 
any V e r dimC x(F^) by Corol. 12 and dimCj > n - dimCi, 
we have M Rtl (CuC 2 ) = M Ril (C u 0})- Thus, by Theorem 26 



and Corol. 12, the scheme is universally f-error-p-erasure- 
correcting when M s (Ci,{0}) = d R (C\) > 2t + p, as shown 
in [21, Theorem 11]. 
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